creation or verification of a subdocument digital signature that any reference to the 
comments objects be deleted prior to the transmission to the signature-generation 
program. 

17. A method according to claim 16, wherein the means for providing in the cover 
document a method of inserting comment objects comprises the insertion into the cover 
document of a link to a comment object. 

18. A method according to claim 16, wherein the means for providing in the cover 
document a method of inserting comment objects comprises the insertion between 
delineation objects the comment. 



Description 



CROSS-REFERENCE TO RELATED APPLICATIONS 
[0001] This application claims benefit of no related applications. 
TECHNICAL FIELD OF THE INVENTION 

[0002] This invention generally relates to an improvement in the management of multiple 
digital signatures within a master document. 

BACKGROUND OF THE INVENTION 

[0003] The use of digital signatures as is disclosed in U.S. Pat. No. 4,405,829 issued to 
Rivest et al. is a method well accepted for document authentication. The usual 
implementation of digital signatures involves the combination of the signer's personal 
private key with a hashed representation of a document to create a unique digital 
signature. 

[0004] There are sometimes problems associated with the authentication of documents 
using digital signatures. Digital signatures are attached to entire documents, while often 
there is a need to manage a hierarchy of signatures where signatures within the hierarchy 
are interrelated. Military logs, as an example, are a compilation of lesser documents 
(watches), each of which is the responsibility of a different individual. While the 
individual watches are subject to modification, such modification cannot be done without 
destroying the integrity of that watch signature and any higher-level approval signature. 
Treating the watches as a collection of individually sighed documents without a 
controlling structure is awkward. 

[0005] Previous document management schemes either do not allow for the management 
of the editing of signed documents or require programmed hierarchy information for 
verification purposes only. For example, in U.S. Pat. No. 5,915,024 by Kitaori et al 



allows separation of a master document into subdocuments and the signature generation 
for each subdocument, but does not allow editing and control of the establishment of the 
subdocuments as a part of the signature creation. 

[0006] The verification of such segmented documents is also addressed in U.S. Pat. No. 
5,661,805 by Miyauchi, allowing the inclusion of relational information to generate 
document verification but again does not address the maintenance of modifications to the 
se6tions subject to signature. 

[0007] FIG. 1 illustrates the problems associated with the normal document creation 
procedure. While this Figure and the following discussion describe a military log, it is 
intended that this be only an example of similar problems within and without the 
government. After individual watches are recorded (steps 1, 2 and 3 or 10, 1 1 and 12) 
they are presented to the officer of the day (OD) for review (step 4 or 13), and possibly 
correction (step 5 or 14). When corrected, any watch signature must be redone (step 6 or 
15). After the OD signs a watch (step 7 or 16) it is then reviewed by the Officer in Charge 
(OIC) (step 8 or 17). The OIC can order revisions (step 9 or 18). If revisions are then 
made to a watch, both the watch signature, if made, and the OD signature, if made, must 
be redone (step 6 or 15). The OIC then signs the watch entries as a final approval after all 
revisions are made (step 19), after which no corrections can be made (step 20). FIG. 6 
illustrates a military log showing some relationships of the log approvals. 

[0008] While the single watches can be signed as a single document in the traditional 
manner, the single acceptance signature signifying the approval of the collection of 
watches, and the invalidation of approval signatures if another watch in the collection of 
watches is modified makes desirable the compilation of the individually-signed watches 
as a unified document. 

[0009] An ancillary problem present in the approval process for documents is the case 
where a reviewer questions the content of a document he must approve prepared by 
another. Since often the review process is through a document transfer rather than a face- 
to-face meeting, such comments are often best managed by inclusion within the 
document under review. If an existing signature encompasses this document then the 
embedding of questions by a reviewer could cause the invalidation of the signature if 
steps were not taken to protect against that event. The inclusion of comments outside the 
document under review prevents a precise localization of the area under question within 
the document. The automatic revocation of a digital signature when a comment is 
inserted to avoid the presence of an invalid signature would cause an unnecessary 
resigning step if the comment were resolved without a change to the document. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0010] FIG. 1 illustrates a flow chart for the creation of a military watch document. 

[001 1] FIG. 2 illustrates a flow diagram for the use of the methods of this invention in the 
creation of a cover document and the creation, editing, signing and signature verification 



of subdocuments within the cover document. 

[0012] FIG. 3 illustrates the flow chart for the use of the methods of this invention in the 
creation of a hierarchy of approval signatures with each approval signature encompassing 
one or more subdocuments and zero or more approval signatures. 

[0013] FIG. 4 illustrates a modification of the flow chart of FIG. 2 for use with a server- 
based implementation of the creation of a cover document to control the creation of 
subdocuments, and the editing, signature generation and signature verification of the 
subdocuments. 

[0014] FIG. 5 illustrates a method for the creation of comments within the cover 
document without affecting the generation of digital signatures for the contents without 
the comments. 

[0015] FIG. 6 illustrates a military log incorporating the structure of this invention. 
TERMS DEFINED 

[0016] In the description of this invention the term "cover document" is applied to a 
document that serves as a protected container document for representations of the digital 
signatures and the subdocuments. The term "subdocument" is applied to a collection 
within the cover document of text, video, audio, graphical or pictorial data, or a mixture 
of these data forms, that is to be given a digital signature. The term "subdocument object" 
is applied to a separate representation of a subdocument that is created for manipulation 
during the process of editing, signature generation or signature verification. The term 
"approval signature" is applied to a digital signature that signs a range of the cover 
document including one or more subdocuments or digital signatures on the cover 
document. The term "approval range" is applied to the section or sections of the cover 
document to which a particular approval signature applies. 

SUMMARY OF THE INVENTION 

[0017] It is therefore the first object of this invention to provide a method for the control 
of the signature process to allow controlled creation, modification, signature generation 
and signature verification of the subdocuments in a single cover document. 

[0018] It is a second object of the present invention to provide approval signatures for 
any cover document approval range and to present in the cover document the approval 
signature and supporting approval signature information. 

[0019] It is a third object of the present invention to provide a method of applying 
comments in the cover document without affecting the digital signature of a subdocument 
or approval range that encompasses the comment. 

[0020] In order to achieve the above objects according to the first aspect of the present 



invention, there is provided a method of adding electronic signatures, comprising the 
steps of: 

[0021] creating a protected cover document for the creation, display and editing of the 
composite subdocuments and for controlling through the cover document access to the 
subdocuments for creation, editing, signature generation or signature verification; 

[0022] creating through a menu associated with the cover document an access to the 
subdocument for edit and display of the subdocument in the cover document; 

[0023] creating through a menu associated with the cover document the transmission of a 
subdocument object to a signature-generation program to allow creation of a digital 
signature for each subdocument and for the verification of that digital signature; and 

[0024] providing in the cover document a display and/or storage of any digital signature 
created for a subdocument, together with the information required or useful to use the 
digital signature. 

[0025] According to the second aspect of the present invention the steps described in the 
first aspect is augmented by the ability to add to the cover document approval signatures 
representing approval or acknowledgment of a section of the cover document. This 
allows a hierarchy of approval signatures on the cover document where each approval 
signature represents authority over an approval range of the cover document, possibly 
including subdocuments, subdocument signatures and other approval signatures. Control 
features conditioning obtaining an approval signature can be added, such as not allowing 
approval signatures unless the approved documents are signed, removing the approval 
signature if the subdocument is edited, prohibiting the editing of subdocuments within a 
signed approval signature range, or requiring a proper user authorization level before a 
user can generate an approval signature. This approval level can be established by an 
authorization level stored in the signature-generation PKI or by a list of authorized 
signers for any signature stored in the cover document control software. 

[0026] To achieve this second aspect of the present invention there is then provided a 
method of adding electronic signatures, comprising the steps of: 

[0027] creating a protected cover document for the creation, display and editing of the 
composite subdocuments and for controlling through the cover document access to the 
subdocuments for creation, editing, signature generation or signature verification; 

[0028] creating through a menu associated with the cover document the ability to access 
and edit a representation of the subdocument object that is then transferred to a visible, 
protected display in the cover document; 

[0029] creating through a menu associated with the cover document a means for the 
transmission of a subdocument to a signature-generation program to allow creation of a 
digital signature for each subdocument and for the verification of that digital signature; 



[0030] providing through a menu associated with the cover document a display and/or 
storage of any digital signature created for a subdocument, together with the information 
required or useful to use the digital signature; 

[003 1] providing through a menu associated with the cover document the generation of 
an approval signature for an approval range of the cover document including one or more 
subdocuments, any associated digital signatures and accompanying signature 
information, or other approval signatures; 

[0032] providing protection to the integrity of the approval signature by either preventing 
the editing of subdocuments within the approval range for a signed approval signature or 
destroying any approval signature whose approval range includes an edited subdocument; 
and 

[0033] providing in the cover document a display and/or storage of any approval 
signature, together with the information required or useful to use the approval signature. 

[0034] According to the third aspect of the present invention the steps described 
previously are augmented by the ability to add comments to the cover document. These 
comments could, for example, pertain to questions raised in the approval process. These 
comments are removed from the calculation of the subdocument digital signature 
according to the first aspect of this invention and any approval electronic signature 
generated according to the second aspect of this invention. The added comments can be 
either text, audio, graphical, images or video clips. To achieve this third aspect there is 
then provided a method of adding electronic signatures, comprising the steps of: 

[0035] providing in the cover document a method of inserting comment objects; and 

[0036] providing in the transmission of a subdocument object to a signature-generation 
program in the creation or verification of a subdocument digital signature that any 
reference to the comments objects be deleted prior to the transmission to the signature- 
generation program. 

DETAILED DESCRIPTION OF THE INVENTION 

[0037] The preferred embodiments of the present invention will be described in the 
following discussion in terms of the functionality provided by Microsoft Word, but the 
extension to other programmatic implementations is obvious to those skilled in the art. 

[0038] The First embodiment of the present invention is discussed with reference to FIG. 
2. A cover document is first created as represented by 100 to serve as a container for 
subdocuments created by more than one individual or at more than one time. This ' 
document is protected from user entry but the user has access to menu functions (101), 
including allowing the creation of a subdocument as shown in the path leading to 102. If 
the creation of a subdocument is selected, a subdocument area is reserved in the cover 



document, either as the first or last subdocument in the cover document or at a pre- 
selected or user-selected place within the cover document. This subdocument area is 
delineated by the creation of one or more reserved areas, or bookmarks, within the cover 
document. In the preferred embodiment this is accomplished by the creation in step 100 
of a password-protected Word document from a Word template document containing 
embedded macros accessed through toolbar icons to accomplish the functions shown in 
step 101. The preferred embodiment further creates a reserved space as shown in step 102 
by creating within the cover document a header bookmark and a body bookmark for each 
subdocument after all the previously existing subdocuments. 

[0039] There is also a menu item in the cover document menu selection 101 for the 
editing of subdocuments created in step 102. Since the editing of a previously signed 
document will destroy the validity of the signature, the user can be programmatically 
. prevented from editing a subdocument if there is a desire to maintain the current 
signature. If the user is allowed to edit a signed document and proceeds with the editing 
then as is shown in step 103, any previous digital signature attached in the cover 
document to the subdocument to be edited is destroyed and the subdocument becomes an 
unsigned document in the cover document. Alternatively, the destruction of any digital 
signature can be deferred until step 306 to allow destruction only in the case where the 
subdocument content is actually modified during the edit process. A subdocument object 
is created representing an image of this subdocument and this subdocument object is 
made accessible to the user and opened for editing as shown in step 103. If previous 
editing has created content in the subdocument then this previous content is copied from 
the cover document to the subdocument object as shown in step 104. In the preferred 
embodiment, this subdocument is opened as an unprotected, editable Microsoft Word 
Document inserted as an object within the cover Microsoft Word Document or created as 
a separate temporary Word Document. Any existing cover document content for the 
subdocument is copied from the body bookmark in the cover document and pasted into 
the editable Word document. This editable inserted Word document in the preferred 
embodiment can be formatted as required, as by the selection of a template for opening 
the subdocument. 

[0040] The user can be given full access to the subdocument object for editing with word 
processing tools well known in the trade to enter and modify the subdocument content as 
shown in step 105. When the user has finished with the edit, a menu item is selected 
which closes and copies the subdocument object to the cover document and then 
optionally destroys the subdocument object, as shown in steps 106 and 107. This allows a 
complete image of the subdocument to reside on the cover document with restricted 
access while allowing the creation as needed of full reproductions in the subdocument 
object. In the preferred embodiment this step is accomplished by allowing editing of the 
Microsoft Word document created in the previous step, then cutting and pasting that 
document into the subdocument body bookmark area of the cover document, which is 
maintained as a protected document. The Word document opened for edit is then deleted. 

[0041] While this discussion has described maintaining the master version of the 
subdocument in the cover document and creating an image of that master document to 



present for editing, it is within the scope of this invention to maintain the master copy of 
the subdocument as an embedded or external object, with a representation of the object in 
the cover document. In this implementation the subdocument object is not deleted 
between editing sessions, but access to the subdocument is still through the cover 
document in order to protect the subdocument from alteration. This is accomplished, as 
one example, by creating an embedded Microsoft Word document within the cover 
document, and maintaining the embedded document as a displayed document on the 
protected cover page, and programmatically limiting access to the embedded Word 
document for editing purposes. As another alternative, the subdocument can be 
maintained in the cover document and a portion of the cover document encompassing the 
subdocument opened up for editing while protecting the remainder of the document. 

[0042] Another possible menu selection in the cover document is the choice to digitally 
sign a subdocument, as shown in the selection path starting with 108. As in the menu 
selection for editing a subdocument, a subdocument object is created and any existing 
subdocument content is copied into the subdocument object, as shown in steps 108 and 
109. In the preferred embodiment, this subdocument is opened as a Microsoft Word 
Document inserted as an object within the cover Microsoft Word Document or created as 
a separate temporary Word Document. The contents of the subdocument body bookmark 
in the cover document are then copied and pasted into the subdocument object. Any 
desired deletions from the subdocument object content, e.g. formatting characters, can be 
removed from the subdocument object content. The subdocument object content is then 
communicated to a digital signature-generation external program or module, together 
with identifying information input by the user as shown in step 110. The process of 
generating the digital signature from the hashed representation of the content and the 
user's private key is well known in the literature. The digital signature-generation 
program or module will return a digital signature or an abort notice defining why the 
digital signature could not be created. The subdocument object is then destroyed as 
shown in step 1 12. This step can be performed before, after or simultaneously with the 
recording of information to the main document in step 111. 

[0043] If a digital signature is obtained, this is information is recorded in the cover 
document as shown in step 111 with appropriate delineation. This is accomplished in the 
preferred embodiment by copying the digital signature from the digital signature- 
generation program into the cover document and delineating the signature by the creation 
of a signature bookmark enclosing the signature in the cover document following the 
body bookmark, and an enclosing box visible in the cover document. If the digital 
signature cannot be obtained, as, for instance, when the user identity is not recognized by 
the signature-generation program, the reason for the failure of the signature generation as 
contained in the abort notice is displayed to the user. The digital signature can be 
augmented by additional information commonly associated with the digital signature, e.g. 
the date and identity of the signer or the public key of the signer. Any amount of this 
information, for example the public key, can be represented in a non-printing form, such 
as hidden text or an embedded object, to avoid encumbering the appearance of the cover 
document while keeping the information available for verification purposes. 



[0044] At the time the cover document is created the format of the cover document can 
be made to be in a form suitable for printing or data parsing. In the preferred embodiment 
this is accomplished by the creation of the cover document through a Microsoft Word 
template document (-DOT), which also contains the macros for the creation of the menus 
and their implementation. This document form can reflect the presence and location of 
the subdocuments and digital signatures and the status of a subdocument, e.g. unsigned 
documents being highlighted or distinctively outlined, or the number of subdocuments 
being displayed in the cover document. 

[0045] Another possible menu selection associated with the cover document is the choice 
to verify the digitally signed subdocument, as shown in the selection path starting with 
1 13. As in the menu selection for editing a subdocument, a subdocument object is created 
and any existing subdocument content is copied into the subdocument object, as shown in 
steps 113 and 1 14. In the preferred embodiment, this subdocument is opened as a 
Microsoft Word Document inserted as an object within the cover Microsoft Word 
Document. The contents of the subdocument body bookmark in the cover document are 
then copied and pasted into the subdocument object and edited to remove undesired 
characters. In step 115 a digital signature is generated from the subdocument object 
content as was done in step 110 with the exception that in step 1 1 5 the user identification 
information is obtained from the cover document. The generated digital signature is 
compared with the digital signature stored in the cover document previously obtained in 
step 1 10. An agreement of these digital signatures is an indication that the digital 
signature recorded on the cover document is valid, and therefore the document has not 
been modified. It should be noticed that this verification function is an internal feature of 
many signature-generation programs and in that case the comparison need not be done 
within the cover document control program. 

[0046] A discussion of the second embodiment of this invention will be made with 
reference to FIG. 3. This embodiment allows the creation of a hierarchy of signed 
subdocuments where an approval signature can be added to the cover document 
encompassing a range of cover document content, possibly including subdocuments, 
subdocument signatures and/or associated information, and other approval signatures 
and/or associated information. 

[0047] A cover document is created and one or more subdocuments are created and then 
signed in this cover document as has been previously described and as is indicated by 
steps 200-206. A range of the cover document to be encompassed by the approval 
signature (the "approval range") is determined, possibly including these subdocuments, 
associated digital signatures and other approval signatures. This approval range can be 
predefined or user-selectable, and need not be contiguous. The approval range may be 
indicated on the cover document either by the position of the subdocuments and approval 
signature in the cover document or by a selection process and an indication within the 
cover document of the range of subdocuments approved. If desired, the approval can be 
prohibited programmatically if one or more subdocuments within the approval range 
have no digital signature. 



[0048] The content of the approval range is copied to a subdocument object and a digital 
signature is created from this content together with user-input signer identification 
information as shown in step 207. The generation of this signature is in the same form as 
was utilized in FIG. 2 steps 108-1 12, consisting of the editing of the subdocument object 
to remove content not to be included in the digital signature, communication to an 
external signature-generation program and reception of the digital signature from that 
signature-generation program. The generation of the digital signature can be made 
conditional on the approval level of the user in relation to the approval level required for 
the range that is to be approved. When a level of approval is required, this approval level 
can be determined based on the subdocuments covered or the level of embedded approval 
signatures or by any other desired criteria. The approval level can be stored in the cover 
document with reference to approval levels stored in the PKI interface in the signature- 
generation program or module, or alternatively the cover document can store a list of 
allowed signers. The approval digital signature and any desired ancillary information are 
stored in the cover document, either as a text message, a hidden text message or as a 
subdocument object, or by any combination of these media. If subsequently any 
subdocument within this approval range is edited, any approval signature whose range 
encompasses this subdocument must be removed, as indicated by steps 208 and 209. 

[0049] Higher-level approval signatures can be generated as indicated by step 213, 
encompassing ranges of approved subdocuments, as in steps 201-207, and additional 
subdocuments as in step 207. As in the generation of the lowest level approval signature 
the higher-level approvals represent a range on the cover document including the digital 
signatures represented on the cover document. The inclusion of the nested digital 
signatures assures the integrity of the documents and approvals within any level approval 
range. 

[0050] Provision may be made for the removal of document signature generation and 
editing capability in the cover document when a level of approval is achieved. It is often 
desirable to programmatically disable these functions for subdocuments within an 
approval range after that approval signature has been entered. This is shown as step 214 
locking the entire document after the highest level of approval signature, represented by 
step 213, but could be implemented at a lower level. For example, at step 210, editing of 
all subdocuments within that approval range could be programmatically prohibited. 

[0051] The second embodiment of this invention is accomplished in the preferred 
embodiment by programmatically selecting a section of the cover document, including, 
since the cover document is a flat file, any subdocuments and digital signatures within 
this selection. This selection is then copied to a separate Microsoft Word Document 
opened as an object within the cover Microsoft Word Document or created as a separate 
temporary Word Document. The separate Microsoft Word Document is edited to remove 
content, such as formatting characters, that it is desired not to include in the digital 
signature and then exported to the signature-generation program or module. This 
signature-generation program returns an abort notice that is communicated to the user if 
the digital signature cannot be generated, or a digital signature, which is then copied into 
an appropriately formatted area within the cover document. The formatted area, including 



the digital signature, is delineated with an appropriately named bookmark to facilitate the 
deletion of the bookmark when an included subdocument is edited or to allow an easy 
search for the presence of an approval signature to programmatically disallow edits of 
subdocuments within the signature area. 

[0052] In the first and second embodiments there is the export from an embedded 
document to an external digital signature-generation program. A common problem 
associated with the digital signing of a general document is the metadata contained in the 
document will prevent a document reproduced with the document's content from having 
the same hash function as a different version with the same content. In many cases, this 
can be avoided when the message consists only of the content of the subdocument by the 
export of the data as a text or binary file or transmission with no metadata. In other cases 
the metadata can be spoofed, as, for example, the regeneration in a consistent manner 
within a Word document of the metadata in order to avoid changing the dates, authors, 
version numbers, etc., so as to consistently generate identical Word files on different 
occasions. In the preferred embodiment, directed to military logs, the content was text 
and exported as a text file, but that is not a limitation on the general application of this 
invention. 

[0053] In some cases the record of the sequence of signature generation and removal is of 
interest for audit purposes. At the time of any signature generation in either the first or 
second embodiment of this invention the fact and conditions of signature generation, 
deletion, or the failure to generate a digital signature can be appended to an internal or 
external audit log by the program. 

[0054] The previous description of the first and second embodiments of this invention . 
described maintaining the primary record of the subdocument in the cover document and 
the generation of auxiliary web documents for user input. When the cover document is 
maintained in a document server it may be preferable to maintain the cover document as 
a read-only file on the server. Creation, editing, signature generation and signature 
verification can be by the generation of a browser-readable web presentation, e.g. a 
HTML document, representing the information in a subdocument. Editing can be then 
accomplished by providing for the creation of a web page displaying the contents of the 
subdocument area of the cover page, with the contents of the subdocument being exposed 
for editing in the web page. The communication to this presentation can be by the 
program controlling the cover document opening a socket to the presentation, file transfer 
or any other means of inter-program communication. 

[0055] FIG. 4 represents the flow diagram for such a generalized interface. The read-only 
cover document created in step 300 can be either a text document or a database 
containing the subdocuments, approval signatures and ancillary information for 
presentation to the user through a report-generation program (such as Crystal Reports by 
Crystal Decisions, Inc.). Step 302 represents the creation of a subdocument as either a 
reserved area within a text document or a field within a database. If the edit function is 
selected the subdocument is presented to the user in an editable form, such as a browser 
text box. Any digital signature associated with an edited subdocument can be destroyed 



in step 303 or the decision to destroy the signature can be deferred i until later in step 306 
so the signature removal would only take place in the event the subdocument content is 
actually modified. 

r00561 The user modifies the information in steps 304 and 305, through a browser- 
readable document or other user interface. In step 306 the subdocument in the cover 
document is updated by the information received from the user and the user view is 
removed in step 307. When the signature generation function is chosen the user 
identification is obtained from the user in step 308, and transferred by the program 
controlling the cover document to a signature-generation external program or internal 
module. When the digital signature is generated the cover document is updated as shown 
in step 3 1 1 . A standard signature-generation program, such as the Java-based Trust 
Services Integration Kit by Verisign, Inc., can be used for communication jto commercial 
PKI centers or many available digital signature modules, such as GnuPG by the tree 
Software Foundation, Inc., can be used to generate a localized PKI interface -These 
programs allow for signature verification as provided in step 313, and the validity 
information is presented to the user in step 314. 

[0057] FIG 3 assumes the generation of subdocuments in the manner described with 
reference to FIG. 2, and is equally valid for subdocuments generated m the manner 
described in FIG. 4. The generation of approval signatures from subdocuments generated 
in the manner of FIG. 4 proceeds from a server-based cover document that is either a text 
document or database. A space or database field in the cover document is reserved for the 
approval signature and subdocuments, approval signatures, and associated information 
associated with an approval signature range is either predefined or subject to user 
selection. The user identification is presented to the signature generation program 
together with the content of the signature approval range in a manner consistent with the 
signature verification module and the format of the signature generation module in step 
207 The user communication for the identity input can be through a user-viewable 
document containing a browser-readable presentation, e.g. a HTML document and can be 
by means of file transfer, opening a socket to or from the presentation, or any other 
method of program communications. 

[0058] In the user identification required for the generation of the digital signature use 
may be made not only by use of a username and password but also the readmg of 
physical tokens or user characteristics such as RFID keys, proximity cards, biometnc 
readers "smart cards", and other personal identification as a means to augment the 
integrity of the verification. An example of the use of such tokens would be the readmg 
of the electronically readable military ID cards in the case to verify the user's possession 
of this form of identification before allowing digital signature generation in the case of 
military logs. 

[0059] A discussion of the third embodiment of this invention will be made with 
reference to FIG. 5. In the process of creation, review and approval of a document with 
subdocuments there are often cases where questions regarding a subdocument are raised 
by reviewers. In these cases the subdocument may have been digitally signed and the 



insertion of the comments would ideally be separable from the signed documents so as 
not to invalidate the signatures when the comments are resolved with no changes to the 
documents. To achieve this desired functionality, provision is made for the insertion into 
the cover document of a comment object. This comment object can be in any data form 
including text, audio, image or video. Steps 301 and 302 illustrate the process for the 
object insertion. In the process of treating subdocuments illustrated by FIG. 2, the steps 
of 108-109 and 113-1 14 can be replaced by the steps of 303-305. When the subdocument 
is copied from the cover document to the subdocument object for signature processing, 
all references to the embedded comments are removed. This removal can also be 
accomplished during the process of copying in step 304 rather than in step 305. 

[0060] The comment can be added by either, inserting an embedded object containing the 
comment, a link to a comment object, or embedding the comment between a delineation 
character or character combination. The preferred embodiment of this third embodiment 
is accomplished by inserting in the cover document Microsoft Word comments, and 
removing these comments after the image of the subdocument or approval range is 
created for transfer to the signature-generation program for the calculation of the digital 
signature or the signature verification. 



